David H. Lipman wrote:

>>> NYB is a simple boot sector infector.

> |
> | Which implies that it had root privileges.
> |
>
> No, it does not.

It does. Writing to the boot sector requires either write access to
\Device\PhysicalDriveX or \Device\VolumeX\DR0, both of which imply
Administrator group membership, or SeRestorePrivilege, which is granted only
to the Administrators group, or would be equivalent to Administrator privileges
(since one could change ACLs or overwrite system binaries on the raw disk).

> Your POV is all wrong. It is not the system of concern, it's the data. The system has no
> value, the data on the system has worth and value.

The system integrity has direct implications on all data, both the stored
ones and the processed ones. Where exactly is access to my private Pr0n
collection a bigger issue than the system forwarding my entered online
banking password to some Ukrainian stranger?

> You said "...since it's not in a well-defined state anymore..." but legitimate
> software can also change the state.

Hint: What's the difference between "state" and "well-defined" state?

> it is the data's safety that leads to the conclusion that a system is
> compromised.

Nonsense. A system can be compromised without having changed any data yet,
though the data are still in danger that such a thing happens in the future.

> I am not abusing MSOE. I use it in combination with Fidolook and it makes up for MSOE's
> short comings.

Such as, say, a header line longer than 8192 bytes triggering a direct buffer
overflow and therefore immediate compromise just by marking (not even
reading) a posting?

> NYB is well defined, constrained and finite.

The necessary circumstances aren't, unless you're discussing purely
artificial setups.
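As an added example (not part of the thread above and not code from either poster), the following PowerShell probes the three things the reply ties raw-disk writes to: whether the current token is in Administrators, whether it carries SeRestorePrivilege, and whether the raw disk can actually be opened for write. The device name \\.\PhysicalDrive0 (first physical disk) is an assumption; substitute the one you mean. Nothing is written: the handle is opened and immediately closed. One caveat: on Vista and later, a member of Administrators running a non-elevated shell holds a filtered token, so all three checks come back negative until the prompt is elevated.

```powershell
# Added example, not from the original thread. Assumes Windows Vista or later
# and that \\.\PhysicalDrive0 is the disk of interest (assumption).

# 1. Administrators membership of the current (possibly UAC-filtered) token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Is SeRestorePrivilege present in the token at all (enabled or disabled)?
#    whoami /priv lists every privilege the token holds.
$hasRestore = [bool](whoami /priv | Select-String -Pattern 'SeRestorePrivilege' -Quiet)

# 3. The real test: ask for a write handle on the raw disk. .NET passes the
#    device path to CreateFile, so the device object's ACL decides. A denial
#    surfaces as UnauthorizedAccessException; anything else is reported as-is.
$device      = '\\.\PhysicalDrive0'   # assumption: first physical disk
$canWriteRaw = $false
$error_text  = ''
try {
    $fs = New-Object System.IO.FileStream(
            $device,
            [System.IO.FileMode]::Open,
            [System.IO.FileAccess]::Write,
            [System.IO.FileShare]::ReadWrite)
    $fs.Dispose()            # close without writing a single byte
    $canWriteRaw = $true
} catch [System.UnauthorizedAccessException] {
    $error_text = 'access denied'
} catch {
    $error_text = $_.Exception.Message
}

[pscustomobject]@{
    Device             = $device
    InAdministrators   = $isAdmin
    SeRestorePrivilege = $hasRestore
    RawWriteHandle     = $canWriteRaw
    Note               = $error_text
}
```

Run it once from a plain prompt and once from an elevated one on the same account: the difference between the two result rows is exactly the privilege boundary the reply is describing.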